© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Secured Connectivity Configuring a DMVPN

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v DMVPN Relies on: IPsec profiles NHRP mGRE Benefits: Hub router configuration reduction Automatic IPsec encryption initiation Support for dynamically addressed spoke routers Dynamic tunnel creation for spoke-to-spoke tunnels

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Single DMVPN Topology Hub 1 (Primary) Hub 2 (Backup) DMVPN 1 (Subnet 1) Branch Subnet Corporate Subnet Branch Subnet

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Dual DMVPN Topology Hub 1 (Primary) Hub 2 (Backup) DMVPN 2 (Subnet 2) DMVPN 1 (Subnet 1) Branch Subnet Corporate Subnet Branch Subnet

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v DMVPN Deployment Models Hub-to-Spoke Tunnels Static IP Address Dynamic Spoke-to-Spoke Tunnels Address Query NHRP Server Address Query Dynamic or Static IP Addresses Hub-and-Spoke Spoke-to-Spoke

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v DMVPN Configuration Tasks ISAKMP and IPsec configuration Tunnel protection configuration –IPsec profiles Tunnel interface configuration –mGRE configuration –NHRP configuration Routing protocol configuration

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v router(config)#crypto isakmp policy 10 router(config-isakmp)#hash md5 router(config-isakmp)#encryption 3des router(config-isakmp)#authentication pre-share router(config)#crypto isakmp key cisco123 address router(config)#crypto ipsec transform-set MINE esp-3des ISAKMP and IPsec Hub Router Spoke Routers

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v IPsec Profile Hub Router Spoke Routers router(config)#crypto ipsec profile DMVPN router(ipsec-profile)#set transform-set MINE

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v DMVPN Example Spoke B /24.1 Web.37 Spoke A /24.1 PC /24.1 Physical: Tunnel0: Physical: Tunnel0: Physical: Tunnel0:

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Spoke B /24.1 Web.37 Spoke A /24.1 PC / Physical: Tunnel0: Physical: Tunnel0: Physical: Tunnel0: DMVPN Example (Cont.) = Dynamic and Temporary spoke-to-spoke IPsec tunnels

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v DMVPN Example (Cont.)... = Dynamic and Temporary spoke-to-spoke IPsec tunnels Spoke B /24.1 Web.37 Spoke A /24.1 PC /24.1 Physical: Tunnel0: Physical: Tunnel0: Physical: Tunnel0:

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v = Dynamic and Temporary spoke-to-spoke IPsec tunnels DMVPN Example (Cont.) Spoke B /24.1 Web.37 Spoke A /24.1 PC /24.1 Physical: Tunnel0: Physical: Tunnel0: Physical: Tunnel0:

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v = Dynamic and Temporary spoke-to-spoke IPsec tunnels DMVPN Example (Cont.) Spoke B /24.1 Web.37 Spoke A /24.1 PC /24.1 Physical: Tunnel0: Physical: Tunnel0: Physical: Tunnel0:

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v DMVPN Routing Tables C /30 is directly connected, Serial1/0 C /24 is directly connected, Tunnel0 C /24 is directly connected, Ethernet0/0 D /24 [90/ ] via , 22:39:04, Tunnel0 D /24 [90/ ] via , 22:39:10, Tunnel0... S* /0 [1/0] via C /30 is directly connected, Serial1/0 C /24 is directly connected, Tunnel0 D /24 [90/ ] via , 00:03:58, Tunnel0 C /24 is directly connected, Ethernet0/0 D /24 [90/ ] via , 00:02:02, Tunnel0... S* /0 is directly connected, Serial1/0 C /30 is directly connected, Serial1/0 C /24 is directly connected, Tunnel0 D /24 [90/ ] via , 00:03:43, Tunnel0 D /24 [90/ ] via , 00:03:43, Tunnel0 C /24 is directly connected, Ethernet0/0... S* /0 is directly connected, Serial1/0 Spoke A Spoke B Hub

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v DMVPN NHRP Mapping Tables Hub1#show ip nhrp /32 via , Tunnel0 created 5d18h, expire 00:05:38 Type: dynamic, Flags: authoritative unique registered NBMA address: /32 via , Tunnel0 created 5d18h, expire 00:05:24 Type: dynamic, Flags: authoritative unique registered NBMA address: SpokeB#show ip nhrp /32 via , Tunnel0 created 00:14:08, never expire Type: static, Flags: authoritative used NBMA address: /32 via , Tunnel0 created 00:03:41, expire 00:00:16 Type: dynamic, Flags: router unique used NBMA address: Hub SpokeB#show ip nhrp /32 via , Tunnel0 created 00:13:16, never expire Type: static, Flags: authoritative used NBMA address: /32 via , Tunnel0 created 00:01:28, expire 00:03:23 Type: dynamic, Flags: router unique NBMA address: Spoke A Spoke B

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v IPsec Profile R1(config)# crypto ipsec transform-set MINE esp-3des esp-md5-hmac R1(config)# crypto ipsec set profile DMVPN R1(ipsec-profile)# set transform-set MINE R1(ipsec-profile)# security association lifetime seconds R1(ipsec-profile)# set pfs group2

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Routing Protocols EIGRP –no eigrp next-hop-self –ip hold-time eigrp –no ip split-horizon eigrp –eigrp stub connected OSPF –ip ospf network broadcast –ip ospf hello-interval –ip ospf priority –area stub no-summary RIPv2 –no ip split-horizon –No auto-summary

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v router(config)#interface Tunnel 0 router(config-if)#ip address router(config-if)#ip mtu 1416 router(config-if)#no ip next-hop-self eigrp 1 router(config-if)#ip nhrp authentication cisco123 router(config-if)#ip nhrp map multicast dynamic router(config-if)#ip nhrp network-id 99 router(config-if)#no ip split-horizon eigrp 1router(config-if)#tunnel source FastEthernet 0/1 router(config-if)#tunnel key 999 router(config-if)#tunnel mode gre multipoint router(config-if)#tunnel protection ipsec profile DMVPN router(config)#router eigrp 1 router(config-router)#network router(config-router)#no auto-summary Hub Configuration Hub Router Spoke Routers Fa0/1: Tunnel 0: / / / /24

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Hub Configuration (Cont.) Hub Router Spoke Routers Fa0/1: Tunnel 0: / / / /24 router(config)#interface Tunnel 0 router(config-if)#ip address router(config-if)#ip mtu 1416 router(config-if)#no ip next-hop-self eigrp 1 router(config-if)#ip nhrp authentication cisco123 router(config-if)#ip nhrp map multicast dynamic router(config-if)#ip nhrp network-id 99 router(config-if)#no ip split-horizon eigrp 1router(config-if)#tunnel source FastEthernet 0/1 router(config-if)#tunnel key 999 router(config-if)#tunnel mode gre multipoint router(config-if)#tunnel protection ipsec profile DMVPN router(config)#router eigrp 1 router(config-router)#network router(config-router)#no auto-summary

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Spoke Configuration router(config)# interface Tunnel 0 router(config-if)#ip address X router(config-if)#ip mtu 1416 router(config-if)#no ip next-hop-self eigrp router(config-if)#ip nhrp authentication cisco123 router(config-if)#ip nhrp map router(config-if)#ip nhrp map multicast router(config-if)#ip nhrp nhs router(config-if)#ip nhrp network-id 99 router(config-if)#no ip split-horizon eigrp 1 router(config-if)#tunnel source FastEthernet 0/1 router(config-if)#tunnel key 999 router(config-if)#tunnel mode gre multipoint router(config-if)#tunnel protection ipsec profile DMVPN router(config)#router eigrp 1 router(config-router)#network router(config-router)#no auto-summary router(config-router)#eigrp stub connected Hub Router Spoke Routers Fa0/1: Tunnel 0: / / / /24

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Verifying DMVPN router# show crypto map router# show crypto isakmp sa router# show crypto ipsec sa router# show ip nhrp router# show interfaces tunnel 0

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Summary The DMVPN feature combines GRE tunnels, IPsec encryption, and NHRP routing. There are several tasks required when implementing a DMVPN. There must be at least one matching ISAKMP policy and IPsec transform set between two potential crypto peers. IPsec profiles abstract IPsec policy information into a single configuration entity, which can be referenced by name from other parts of the configuration.

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Summary (Cont.) Some considerations must be made when running dynamic routing protocols across the DMVPN. The DMVPN hub is typically located at the company headquarters. DMVPN spoke routers are typically located at branch offices of the company. There are several commands available to verify and troubleshoot DMVPN configuration and operation.

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v